PLATINUM has renamed rar.exe to avoid detection. During Operation Honeybee, the threat actors modified the MaoCheng dropper so its icon appeared as a Word document. For Operation Dust Storm, the threat actors disguised some executables as JPG files. doc file extensions to mask malicious executables. NotPetya drops PsExec with the filename dllhost.dat. Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface. NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system. Milan has used an executable named companycatalogue to appear benign. MenuPass has used esentutl to change file extensions to their true type that were masquerading as. LazyScripter has used several different security software icons to disguise executables. Lazarus Group has disguised malicious template files as JPEG files to avoid detection. Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others. FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted, WebP file. FlagPro can download malicious files with a. FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser. EnvyScout has used folder icons for malicious files to lure victims into opening them. Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account. DarkWatchman has used an icon mimicking a text file to mask a malicious executable. The Dacls Mach-O binary has been disguised as a. During C0015, the threat actors named a binary file compareForfor.jpg to disguise it as a JPG file. BRONZE BUTLER has masked executables with document file icons, including Word and Adobe PDF. BoomBox has the ability to mask malicious data strings as PDF files. jpg extension that contained a malicious Visual Basic script.
APT32 has disguised a Cobalt Strike beacon as a Flash Installer. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure. APT29 has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. APT28 has renamed the WinRAR utility to avoid detection. AppleSeed can disguise JavaScript files as PDFs.